Date: Wed, 29 Dec 1999 15:31:46 +0100 From: Markus Friedl <Markus.Friedl@informatik.uni-erlangen.de> To: freebsd-security@FreeBSD.ORG Cc: Warner Losh <imp@village.org>, Fernando Schapachnik <fpscha@via-net-works.net.ar> Subject: Re: OpenSSH vulnerable to protocol flaw? Message-ID: <19991229153146.A25953@faui01.informatik.uni-erlangen.de> In-Reply-To: <no.id>; from owner-freebsd-security on Fri, Dec 28, 2007 at 12:07:49AM %2B0000 References: <199912161207.JAA22894@ns1.via-net-works.net.ar> <199912162104.OAA74270@harmony.village
next in thread | previous in thread | raw e-mail | index | archive | help
OpenSSH implements the SSH1 protocol. The mentioned flaw can only be fixed by breaking the protocol. I have an experimental patch that replaces CRC with hmac-sha1 among other things. send mail to markus@openssh.COM if you want to review/test/comment/crytoanalyze the patches. -markus On Fri, Dec 28, 2007 at 12:07:49AM +0000, owner-freebsd-security wrote: > Warner Losh <imp@village.org> writes: > > OpenSSH implements the ssh1 protocol, which is vulnerable to insertion > > attacks like the one described in bugtraq. I don't think they have > > changed the protocol at all, but I'm sure someone will tell me if I'm > > wrong. > > Random quotes from the advisory: > > Note that the new revision for the SSH protocol, proposed and > published as Internet Drafts [2],[3],[4] [5] makes use of > cryptographycally strong message authentication codes for > integrity checks that wont fail to these attacks. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991229153146.A25953>